Abstract: Huge volumes of security data from different security devices can overwhelm security managers and keep them from performing effective analysis and initiating a timely response. Therefore, it is important to develop an advanced alert correlation system that can reduce alert redundancy, intelligently correlate security alerts and detect attack strategies. In this paper, we propose a new method of mining multi-stage attack behavior patterns in order to recognize the attacker's high-level strategies and predict upcoming attack intentions. We apply a reformative Apriori algorithm to mine frequent attack sequence patterns from historical alert data. We use the correlativity between two contextual elements in the attack sequence to correlate attack behaviors and identify potential attack intentions. The idea is easy to implement and, compared with other techniques, it can be used to detect novel multi-stage attack strategies. Experiments show that our approach can effectively learn high-level attack strategies and can accordingly predict the next possible attack behavior. Copyright 2007 IEEE. 15 Refs.
Abstract: The main problem with current intrusion detection and prevention systems is the high rate of false alarms triggered off by attackers. Effectively protecting the network against attacks remains a problem for both researchers and computer network management professionals. Improved monitoring of malicious attacks will require the integration of multiple monitoring systems. In our project we are analyzing the potential benefits of distributed multisensor systems for intrusion detection. Our main purpose for this work is to examine how to integrate multiple intrusion detection sensors in order to minimize the number of incorrect alarms. The first problem is how to integrate data from multiple sensors, and the second how to identify the most important data provided by multiple sensors. We are currently developing a series of analytical models to use the potential benefits of multiple sensors for reducing false alarms. The purpose of this presentation is to discuss the implementation of a prototype multisensor-based intrusion detection system. We are especially interested in analyzing traffic that has an abnormal or malicious character and should prompt a closer look. A specific feature of the model is that the systems use multiple sensors to process log files. This reduces the overhead in a distributed intrusion detection system. The Snort [1] based multiple-sensor system monitors two networks. Our configuration allows generating Snort events with identical timestamps to ensure that we can successfully merge data from multiple Snort sensors with identical timestamps. On both networks one web server is an Intel-based PC running Microsoft Windows 2003; the second web server is a CentOS-based Linux system. Each Snort sensor is an Intel-based PC running CentOS 4.3/4.4 with Snort 2.3/2.6 and MySQL 4.3.10. Snort sensors are configured with identical rule sets to run in Intrusion Detection System mode, and to log to the MySQL database and alert log files. In addition to monitoring online traffic we simulate attacks; the attacker system is an Intel-based laptop computer running Fedora Core (FC4). The system is implemented using open software whenever possible, such as Snort, Honeypot, MySQL etc. We have collected a large amount of data such as alert logs and multiple MySQL databases and improved the Snort rules design, and we are currently finalizing the processing of those sets of data. This project is described in detail on the web site [4]. On the whole, our information fusion based intrusion detection and prevention model is in fact a prototype and needs to evolve into a more mature and efficient model. Future work emphasizes a revisit of the database design to allow more efficient data fusion from multiple sensors. 4 Refs.
Abstract: The security of computer networks is a prime concern today. Various devices and methods have been developed to offer different kinds of protection (firewalls, IDSs, antiviruses, etc.). By centrally storing and processing the signals of these devices, it is possible to detect more cheats and attacks than simply by analysing the logs independently. The most difficult and still unsolved problem in centralized systems is the vast number of false alarms. If a harmless pattern, which is caused by a safe operation, is identified as an alarm, then it is a nuisance and requires human intervention to be handled properly. In this paper we show how we can use data mining to discover the patterns that frequently cause false alarms. Due to the new requirements (events with many attributes, invertible parametric predicates) none of the previously published algorithms can be applied to our problem directly. We present the algorithm ABAM3EP, which discovers frequent alert-ended episodes. We prove that the algorithm is correct in the sense that it finds all episodes that meet the requirements of the specification. 16 Refs.
Abstract: Intrusion detection complements prevention mechanisms, such as firewalls, cryptography, and authentication, to capture intrusions into an information system while they are acting on the information system. Our study investigates a multivariate quality control technique to detect intrusions by building a long-term profile of normal activities in information systems (norm profile) and using the norm profile to detect anomalies. The multivariate quality control technique is based on Hotelling's T² test, which detects both counterrelationship anomalies and mean-shift anomalies. The performance of the Hotelling's T² test is examined on two sets of computer audit data: a small data set and a large multiday data set. Both data sets contain sessions of normal and intrusive activities. For the small data set, the Hotelling's T² test signals all the intrusion sessions and produces no false alarms for the normal sessions. For the large data set, the Hotelling's T² test signals 92 percent of the intrusion sessions while producing no false alarms for the normal sessions. The performance of the Hotelling's T² test is also compared with the performance of a more scalable multivariate technique - a chi-squared distance test. 28 Refs.
Intrusion detection has emerged as a powerful component of network security systems. A wide range of hardware and software components exist to meet most basic security needs on all platforms. These systems log system usage that could be considered a breach of security in many networks. However, signature-based intrusion detection systems have one catastrophic downfall, in that the number of alerts being logged can quickly outgrow the amount of resources necessary to investigate this anomalous behavior. This thesis explores the use of a fuzzy logic based analysis engine that gives an overall threat level of an intrusion detection sensor, prioritizing alerts that are the most threatening. This application gives security personnel a launching point to determine where security holes exist and a snapshot of the threats that exist in a system.

The fuzzy logic system is based on a set of membership functions that define certain metrics from an alert dataset and a set of rules that determine a threat level based on the defined metrics. This application functions as a proof of concept prototype for an administrative tool that can analyze multiple sensors across multiple networks and give a reasonable output of the threat level across a series of intrusion detection sensors on a network. Initial testing indicates promising performance results for testing the threat level of a remote sensor using this methodology.
Abstract: We investigate the problem of defending wireless sensor networks against attacks that disrupt dynamic routing protocols. We propose a novel intrusion detection system that detects the presence of a sinkhole attack, or any attack that misleads traffic by understating the cost of an attack route. Our study shows that protocols designed to select the shortest path between two nodes will, through time, select a series of paths whose length exhibits a log-normal distribution. By deriving tolerance limits from the lognormal distribution of path lengths under normal conditions, we develop an anomaly detection scheme that detects sinkhole attacks in a computationally efficient manner. We show that our schema can detect attacks with 96% accuracy and no false alarms using a single detection system in a simulated network. (12 Refs)

Subfile: B

Descriptors: log normal distribution; routing protocols; telecommunication network management; telecommunication security; wireless sensor networks

Identifiers: hop-count monitoring; sinkhole attack detection; wireless sensor networks; dynamic routing protocols; intrusion detection system; log-normal distribution; anomaly detection schema

Class Codes: B6250 (Radio links and equipment); B6210C (Network management); B6150M (Protocols); B6150P (Communication network design, planning and routing); B0240Z (Other topics in statistics)

Copyright 2008, The Institution of Engineering and Technology


16/5/7 (Item 2 from file: 2)

DIALOG(R) File 2: INSPEC

(c) 2008 Institution of Electrical Engineers. All rts. reserv.

09598961 INSPEC Abstract Number: C2005-11-6150N-289
Title: Mining log files for computing system management

Author(s): Wei Peng; Tao Li; Sheng Ma

Author Affiliation: Sch. of Comput. Sci., Florida Int. Univ., Miami, FL, USA

Conference Title: Proceedings. Second International Conference on Autonomic Computing p. 309-10

Publisher: IEEE Comput. Soc, Los Alamitos, CA, USA

Publication Date: 2005 Country of Publication: USA xiii+396 pp.

ISBN: 0 7695 2276 9 Material Identity Number: XX-2005-01003

U.S. Copyright Clearance Center Code: 0 7695 2276 9/2005/$20.00

Conference Sponsor: IEEE Comput. Soc; Nat. Sci. Found

Conference Date: 13-16 June 2005 Conference Location: Seattle, WA, USA
Language: English Document Type: Conference Paper (PA)
Treatment: Practical (P)
Abstract: With advancement in science and technology, computing systems become increasingly more difficult to monitor, manage and maintain. Traditional approaches to system management have been largely based on domain experts through a knowledge acquisition process to translate domain knowledge into operating rules and policies. This has been experienced as a cumbersome, labor intensive, and error prone process. There is thus a pressing need for automatic and efficient approaches to monitor and manage complex computing systems. A popular approach to system management is based on analyzing system log files. However, several new aspects of the system log data have been less emphasized in existing analysis methods and pose several challenges. The aspects include disparate formats and relatively short text messages in data reporting, asynchronous data collection, and temporal characteristics in data representation. First, a typical computing system contains different devices with different software components, possibly from different providers. These various components have multiple ways to report events, conditions, errors and alerts. The heterogeneity and inconsistency of log formats make it difficult to automate problem determination. To perform automated analysis, we need to categorize the text messages with disparate formats into common situations. Second, text messages in the log files are relatively short with a large vocabulary size. Third, each text message usually contains a timestamp. The temporal characteristics provide additional context information for the messages and can be used to facilitate data analysis. In this paper, we apply text mining to automatically categorize the messages into a set of common categories, and propose two approaches for incorporating temporal information to improve the categorization performance. (4 Refs)
Abstract: Security teams try to detect attacks and internal misuse by wading through and making sense of an overwhelming amount of raw event data generated from firewalls, intrusion detection systems, vulnerability reports, routers, computer systems and other devices. This process does not provide the coherent view of their networks necessary to successfully manage threats. A solution for this problem is an emerging security category called security event management (SEM). SEM systems automatically aggregate and correlate security event log data across multiple types of security devices, allowing security analysts to focus on critical tasks that require human intelligence, such as investigating the source of attacks and responding to them. There are a wide variety of SEM solutions, but at the core of all of these solutions is the ability to correlate alerts across a heterogeneous security environment. Correlation of event data is critical to uncover security breaches because security incidents are made up of a series of events that occur at various touch points throughout a network. Unlike network management, which typically is exception-based or a one-to-one process, security management is far more complex. An attack typically touches a network at multiple points and leaves marks or breadcrumbs at each. By finding and following that breadcrumb trail, a security analyst can detect and hopefully prevent the attack.
Abstract: Computer crime and more particularly computer hacking has become increasingly active in today's business environment. Proof of this statement is a survey completed by the Computer Security Institute and the FBI which revealed that corporations, banks and governments all face a growing threat from computer crime (Berst, 1999). Different methods can be used to control access to computer networks, such as firewalls, but none is hacker-proof. New ways and means must therefore be defined which will minimise or eliminate computer crime. These ways should involve the utilisation of audit logs and user profiles in a proactive sense. Typical proactive actions that can be defined include: online monitoring, template analysis, generation of reports and generation of alert signals. The objective of the paper is to define and describe a proactive model which will identify a hacking attempt before it has been performed, on any computer system, with more effective and easy to use graphical interfaces. This model should also provide useful tools for the security officer. It will inform the officer of different levels of hacking attempts according to statistical predefined norms. (14 Refs)
Abstract: Security event management promises clarity amid the alarms. The typical large enterprise routinely is inundated with security-related alerts from heterogeneous security devices (intrusion detection systems, firewalls, VPN gateways and platforms). Network security managers are awakened at all hours by various events that seem to demand their immediate attention. These managers find themselves attempting manually to inspect or decipher reports of security anomalies from amid the reams of logs generated by their organization's array of security devices - an impossible task. To make sense of all this information, security managers need an operational view of the security health of the enterprise. This article looks at strategies to alert properly, categorize and react to security events as they occur. Security event management is a combination of the security and network management disciplines. It requires not only the proper infrastructure, but the correct processes. An enterprise trying to implement SEM today faces an impressive integration challenge. (
ABSTRACT:

With advancement in science and technology, computing systems become increasingly more difficult to monitor, manage and maintain. Traditional approaches to system management have been largely based on domain experts through a knowledge acquisition process to translate domain knowledge into operating rules and policies. This has been experienced as a cumbersome, labor intensive, and error prone process. There is thus a pressing need for automatic and efficient approaches to monitor and manage complex computing systems. A popular approach to system management is based on analyzing system log files. However, several new aspects of the system log data have been less emphasized in existing analysis methods and pose several challenges. The aspects include disparate formats and relatively short text messages in data reporting, asynchronous data collection, and temporal characteristics in data representation. First, a typical computing system contains different devices with different software components, possibly from different providers. These various components have multiple ways to report events, conditions, errors and alerts. The heterogeneity and inconsistency of log formats make it difficult to automate problem determination. To perform automated analysis, we need to categorize the text messages with disparate formats into common situations. Second, text messages in the log files are relatively short with a large vocabulary size. Third, each text message usually contains a timestamp. The temporal characteristics provide additional context information for the messages and can be used to facilitate data analysis. In this paper, we apply text mining to automatically categorize the messages into a set of common categories, and propose two approaches for incorporating temporal information to improve the categorization performance.

DESCRIPTORS: BAYES METHOD; DATA FORMAT; OBJECT ORIENTED PROGRAMMING; SYSTEM CONTROL; KNOWLEDGE ACQUISITION; INFORMATION PRESENTATION; DATA ANALYSIS
IDENTIFIERS: DOMAIN KNOWLEDGE; OPERATING POLICY; TEMPORAL LABELLING; SOFTWARE COMPONENT; CONTEXT INFORMATION; TEXT MINING; Bayes method; Data acquisition
be especially useful to enterprise network managers struggling to consolidate and interpret auditing data from multiple NT servers.

+ Automatically combines security event-log data from multiple servers; compiles analysis into attractive graphs and reports; alerts administrators to present threats; easy to install and use; automatically sets NT auditing options.

- Does not scan E-mail...

...block connections with prohibited hosts; does not detect network attacks on most services; has limited alerting capabilities.

Scoring methodology: www.pcweek.com/reviews/meth.html

Intrusion Detection Inc., New York (800...

...the data into coherent patterns, expose dangers using three-dimensional graphs and printed reports, and alert administrators to security threats in near-real time.

KSM does not, however, alert administrators to outside network service attacks (such as PING floods or denial-of-service attacks...
a piece of software that captures passwords on the network. The ISS program sends a warning flag. Scanning can take anywhere from five minutes to a month, depending on the number...

...camera inside a network of up to 50 computers. The administrator can thus keep a log on all transactions and look for suspicious activity.

Novell was the first to license Klaus' scanner, for $20,000--a number Klaus...

...asked to see a demo of Klaus' software. A few minutes into the demo an alarm went off. The scanner had broken into the classified Jet Propulsion Laboratory and pulled a...

...price list. Current prices: $10 to $80 per computer for the scanner, depending on how many computers are on your network. The monitor costs $5,000.

The 75 employees of ISS work...
server or workstation. Power Alert Plus software monitors power data from a SMART Series UPS. Custom alarms can be set on the console, as well as remote testing for the UPS systems...

...pulling on-line and historical information from servers and workstations on the UPS systems. All detected power irregularities are consolidated in a single Master Network Power Log by Power Alert Plus. See Figure 4 for a view of the Power Alert Plus console.

The software pools alarms from all Tripp Lite LAN UPSs, and from most of the competition's models. The...

...you to be at a workstation to review power events.

Power Alert Plus lets you customize alarm set points for load percentage, battery charge level, input voltage, and UPS internal temperature. Conditions can be monitored on-line, but when alarms are tripped, entries are created in the Master Log. Power Alert Plus also lets you schedule... and save the profile for later recall. This tool is useful for the management of many SNMP devices on a network, not just UPS systems. The profiles are launched from the MIB browser...
of customers, SOCs and Managed Security Service Providers (MSSP), and users."

Large, global networks have many different security devices and systems from many vendors, with differing abilities to log security events or block attacks. Typically, these networks include Intrusion Detection Systems (IDS), firewalls, servers, and routers. NeuSecure, a new class of threat management software for information security operations, aggregates threat information from multi-vendor, multi-device networks to improve enterprise security, delivering real-time threat analysis and response capability to security analysts. NeuSecure solves the issue of "log data overload" by consolidating log data from your many security products, correlating the data, and then identifying the "real" threat - hastening critical decisions and response.

NeuSecure functionality provides security management and reporting, correlating events and alerts generated by OPSEC-compliant security solutions to provide event monitoring and analysis.

About GuardedNet (TM...
tools deliver and complement Cisco's overall security management strategy consisting of single-device management, multi-device management, such as CiscoWorks2000, and end-to-end policy-based management, such as Cisco Secure...

...At a glance, administrators can view graphical reports summarizing network activity, resource utilization and event logs, allowing performance and trend analysis. PDM's logging and notification features also allow security staff to detect and interrupt suspicious activity.

The embedded design of these device managers enables Cisco customers to manage PIX firewalls...
be accessed remotely from any NT server on the network.
Emergency File Blocking -- For virus alert situations, administrators can use this feature to block incoming files by file name, type, etc., (the recent ExploreZip worm file attachment, for instance) while still permitting other non-threatening email to pass through. Blocked files can either be deleted or quarantined. An extensive log of all blocked files is automatically generated for later analysis and inspection.

Active Update Technology -- ScanMail now automatically updates and installs new scan engine, pattern file and program files simultaneously to multiple Exchange servers via a single button click without the need to reboot, enabling a quick response to... scan engine, pattern file and product version is running on a particular server and automatically notifies the administrator if any of the ScanMail servers is inactive or has stopped functioning.

ScanMail for Exchange can be centrally deployed to multiple Exchange servers, which can all be configured, updated, and managed from Trend Micro's web-based central...
IP network on a single server or workstation and can simulate a network containing several different types of network devices, including Windows NT servers, Unix servers and routers. Each virtual network device has a real...

...it becomes a problem."

CyberCop Sting provides a number of benefits for security administrators, including:

* Detection of suspicious activity inside the network; log files serve to alert administrators to potential attackers prying into reserved areas.

* Ability to record suspicious activity without sacrificing any systems or protected information.

* Virtual decoy network can contain multiple...
IBM LAN Server, and TCP/IP protocols, it also enables a network manager to set alarms on nearly 50 conditions related to LAN stability based on traffic analysis, including excessive or unusually low densities of various request types, server announcements, logins, broadcasts, and other phenomena. When abnormal conditions arise, Ether Probe's alarms detect them, log them to a file, issue optional popups on the screen, and can even trigger capture...
AXENT Technologies Inc. (NASDAQ: AXNT), Monday announced the availability of its OmniGuard/Intruder Alert (ITA) version 2.3 for Windows NT. This release of ITA gives users the ability...

...have enough people to review those logs. In addition, because these logs are produced by multiple servers running multiple operating systems, it is difficult to correlate audit events across different platforms. Even if suspicious activity is discovered in the audit logs, it is often too late to do anything about it," said Pete Privateer, AXENT's...
from the academe and Unix worlds. These products do far more than just sound the alarm; they predict security problems, help assess the extent of damage, are instrumental in prosecuting cyber offenders, and may undo some of the damage.

Simply put, an IDS is a combination early-warning system and post-event auditing tool. The system works by examining and reporting security incidents...

...by the firewall can signal an impending denial of service (DoS) attack.

Important Clues Like many other computer subjects, IDSes have certain features over which many competitive claims are made. Some areas are...

...some only offer one or the other. Real-time work lets the IDS sound the alarm to the staff. The downside is that real-time analysis requires substantial computing power and...

...security events that don't require a real-time response and by applying several statistical analyses on the logs looking for anomalies. If you have a choice, go for an IDS with both capabilities.
Sensor Placement Where...
ABSTRACT:
TEXT:

...distributed type operate on the idea that the attacker, with client software, can remotely control several servers to launch the attacks through a "master" server. "To my knowledge, the attack came from...

...news site gets 2.5 million page views each day. CNN, which uses six ISPs, noticed problems with its routers at around 7 p.m. last Tuesday. "The attack was broadly...

...working realized the attack was on, at about 7 a.m. last Tuesday, they started looking for suspicious traffic patterns in the server logs and upstream routers. After SYN flooding was determined to be the cause, GTE Internetworking began filtering out illegitimate traffic at the router. Cooper...
a machine was transmitting legitimate data, according to Kondilas.

To avoid being overwhelmed by false alarms, IT managers at Qwest are documenting each false positive. By recording exactly what is happening in the network at the time an alarm triggered, operators can determine if similar events in the future are false alarms, he said.

Since network- and host-based systems each have strengths and weaknesses, some vendors...

...determine if the cause is a hacker or a bad router, and they also can look into the event log to see if there is suspicious activity, Hodges said.

Both Axent and ISS introduced hybrid systems last year. ISS RealSecure can pull information from multiple network sensors and systems agents to track activity across a range of devices and systems. But that...
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be especially useful to enterprise network managers struggling to 
consol i dat e and i nt er pr et audi t i ng dat a f r om mil t i pi e NT servers . 

+ Aut omat i cal I y corrbi nes secur i t y event - I og dat a f r om mil t i pi e 
servers ; corrpi I es analysis into at t r act i ve gr aphs and reports; alerts 
administrators to present threats ; easy to install and use; automatically 
set s NT audi t i ng opt i ons. 

- Does not scan E- rrai I . . . 

...block connections with prohibited hosts; does not detect network attacks 
on most services; has I i rri t ed alerting capabilities. 

Scoring rret hodol ogy: www. pcweek. com' r evi ews/ met h. ht rri 

Intrusion Detection Inc., New York (800... 

...the data into coherent patterns, expose dangers using three-dimensional 
graphs and printed reports, and alert adrri ni st r at or s to security threats 
i n near - r eal t i rre. 

KSM does not, however, alert administrators to outside network
service attacks (such as PING floods or denial-of-service attacks...
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a piece of software that captures passwords on the network.
The ISS program sends a warning flag. Scanning can take anywhere
from five minutes to a month, depending on the number...

...camera inside a network of up to 50 computers. The administrator can
thus keep a log on all transactions and look for suspicious activity.

Novell was the first to license Klaus' scanner, for $20,000--a number
Klaus...

...asked to see a demo of Klaus' software. A few minutes into the demo an
alarm went off. The scanner had broken into the classified Jet Propulsion
Laboratory and pulled a...

...price list. Current prices: $10 to $80 per computer for the scanner,
depending on how many computers are on your network. The monitor costs
$5,000.

The 75 employees of ISS work...
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complex blueprints for electronic devices that take years to
perfect.

In September 1994, Cadence grew suspicious of engineer Mitsuru
"Mitch" Igusa when he left the company and refused to sign a
confidentiality agreement. Checking computer logs, the company's
internal networking staff discovered several very large computer file
transfers to Igusa's home machine, recorded days before his departure.
Believing they were...

...to resolve software discrepancies between a Cadence product and a
competing application from Avant!. He noticed a bug in Avant!'s
software--a bug he had originally created in the Cadence...
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When the headlines hit home. (catastrophic risk assessment)

Vollenweider, Dale

Best's Review-Life-Health Insurance Edition, v88, n8, p22(4)
Dec, 1987

ISSN: 0005-9706 LANGUAGE: ENGLISH RECORD TYPE: FULLTEXT

WORD COUNT: 2751 LINE COUNT: 00230

catastrophic risk associated with their client groups that are
partially self-funded. Such insurers should inform their clients of their
potential catastrophic losses and help them to avoid, reduce or transfer
this risk. While experience-refund pooling schemes provide some
catastrophic risk-sharing, many group clients prefer the peace of mind
that comes with guaranteed-premium catastrophe reinsurance protecting their
own...

...member of a known concentration. When applications come in from other
members of the same risk group--teammates on the same sports team for
example--a quick check of the log's entries will determine whether
the acceptance of this application will lead to a catastrophic risk
over retention.

Although this method is not foolproof, it can help point to some
large potential...
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Microcomputers in microbiology: a matter of special needs.

Harrell, Lizzie J.

Medical Laboratory Observer, v16, p57(5) 
May, 1984 
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furnish some data processing capability. Over the long term we
would work with manufacturers on more thorough computer programs.


Since our mainframe hospital computer is basically an information
system--transferring lab results to...

...CC was a system that would monitor media input and output and store
performance testing checks and equipment maintenance logs. As to
flagging unusual results, we identified three areas where a computer
could save us time: identifying unusual microbes, spotting unusual
antibiotic susceptibility patterns, and alerting us to the circumstances
of several specimens from the same site on a given patient...
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Web attackers run roughshod

Gittlen, Sandra; Messmer, Ellen; Pappalardo, Denise
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...TEXT: distributed type operate on the idea that the attacker, with
client software, can remotely control several servers to launch the
attacks through a "master" server.

"To my knowledge, the attack came from...

...news site gets 2.5 million page views each day. CNN, which uses six
ISPs, noticed problems with its routers at around 7 p.m. last Tuesday. "The
attack was broadly...

...Internetworking realized the attack was on, at about 7 a.m. last
Tuesday, they started looking for suspicious traffic patterns in the
server logs and upstream routers.

After SYN flooding was determined to be the cause, GTE Internetworking
began filtering out illegitimate traffic at the router. Cooper...


12/3, K/20 (Item 3 from file: 15)

DIALOG(R) File 15: ABI/Inform(R)

(c) 2008 ProQuest Info&Learning. All rts. reserv.
00643981 92-58921 

Day Care: Insurers Are Taking Another Look 

Diaz, Lisa


Rough Notes v135n10 PP: 16-17 Oct 1992
ISSN: 0035-8525 JRNLCODE: RNO
WORD COUNT: 1253

...TEXT: is still in some respects problematic, but feels it has shown some
improvement. "I've noticed a change of attitude. In the past, the main
concern of insurers has been about...

...but there are always qualifications that must be satisfied before a
policy is sold. In many instances, prospective clients must complete
applications describing all aspects of the operation and the facility must
undergo an inspection. The company then looks at the credentials and past
claims history of the operator, evaluates the grounds for potential
hazards, and makes its final decision based on its findings.

There are some risks that insurers are just not willing to take, however.
In-home facilities, which many parents...
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take intrusion detection to the next level, as more companies use
the high-tech burglar alarms to identify attacks from outsiders as well
as insiders.

IT managers looking for ways to reduce false-positive alarms cited
the need for better event correlation.

Robert Kondilas, a security manager at carrier Qwest...

...SANS Institute, a training and consulting firm, said, "The huge load of
not-very-important alarms has caused a complete shift in the way people
do network-based ID." He added...

...that the beeper goes off so often that they can't possibly respond to
every alarm.

The false-positive problem is generally confined to network-based
intrusion detection systems that monitor...

...packet-flooding attacks, rather than the host-based systems that
monitor PC server and firewall logs for suspicious activity.

For example, an intrusion detection system may confuse port scans
from a network management tool such as Hewlett-Packard's...

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In running the security check on our own site, we discovered several
of the Web server security holes discussed in this article. We did a
mediocre job on the security checklist...

...samples and which were really necessary for operation. We didn't keep
up with security alerts, and we didn't check for vendor updates. In
addition, while testing the CGI scripting...

...a sensitive program file in the CGI directory. Finally, three
different people were responsible for different aspects of server
operation. When files were changed or created, it was easy to assume that
it was...

...mapped out responsibilities, so it's clear who needs to take care of
what. We check regularly for unusual occurrences in the server logs
now...and we're a lot more paranoid.
Copyright (c) 1996 CMP Media Inc.
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QWEST CYBER SOLUTIONS BEEFS UP SECURITY
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Text:

...SERVER OPERATING SYSTEM AND APPLICATIONS, PROVIDING 24-7 MONITORING OF
FILES, SYSTEM APPLICATIONS AND APPLICATION LOGS TO DETECT UNUSUAL
ACTIVITY. CUSTOMERS RECEIVE REPORTS, THREAT ANALYSIS AND
RECOMMENDATIONS TO STOP ATTACKS. * NETWORK INTRUSION DETECTION. THIS IS
OFFERED IN TWO PACKAGES. THE...

...WHICH ARE PLACED WITHIN THE CIRCUIT TO TRANSPARENTLY MONITOR NETWORK
TRAFFIC 24X7. EVENTS TRIGGER AN ALERT TO QCS, WHICH NOTIFIES THE
CUSTOMER AND WORKS WITH THE CUSTOMER TO CORRECT THE PROBLEM. CUSTOMERS
RECEIVE REPORTS, THREAT ANALYSIS AND RECOMMENDATIONS TO STOP ATTACKS. THE
SECOND PACKAGE INCLUDES STANDARD SENSORS THAT TRANSPARENTLY MONITOR THE
NETWORK 24X7. WHEN AN EVENT IS DETECTED, QCS IS ALERTED AND NOTIFIES
THE CUSTOMER. * STRONG AUTHENTICATION. THIS ADDS A SECOND LEVEL OF
AUTHENTICATION SECURITY BEYOND USERNAME AND...
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Web attackers run roughshod


BY SANDRA GITTLEN, ELLEN MESSMER AND DENISE PAPPALARDO
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Publication Date: February 14, 2000 
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Stealthy Trojan Horse attempts to gather data on Web sites
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...file. Upon reboot, its.exe tries to retrieve another its.dat file from
one of several Web servers on the Internet. The purpose of the its.dat
file is not clear, as it...

...s investigation is still underway, and it is recommending that network
administrators take note of unusual port activity on ports 8080 and 3128.
It also recommends that administrators who notice unusual activity
should check their servers' logs for unusual connections and their
directories for odd or unfamiliar cgi scripts. The SANS Institute, in
Bethesda, Md., is at www.sans.org.


12/3, K/26 (Item 1 from file: 810)

DIALOG(R) File 810: Business Wire

(c) 1999 Business Wire. All rts. reserv.

0854653 BWI014 

CENTRAX: Year 2000 Wire/Centrax Announces Availability of eNTrax Security
Suite for Windows NT

May 26, 1998 

Byline: Business Editors/Computer Writers

...detection and response technologies in a single solution, allowing
system administrators to single-handedly manage multiple computers
across the enterprise from one central location. eNTrax minimizes the
MIS resources needed to administer security over the enterprise by
providing efficient threat detection and response solutions, effective
audit policy creation and management, centralized event log analysis
and assessment, deterrence and attack anticipation.

Paul E. Proctor, chief technical officer of Centrax states,
"Insider misuse...

...controls and firewalls can't address. eNTrax acts like a video
surveillance system for computers, notifying security personnel of
possible breaches in security and then identifying the perpetrators."


Combining expert security...
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AXENT TECHNOLOGIES: AXENT Technologies Inc., announces availability of
real-time monitoring and intrusion detection for Windows NT
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...1996--AXENT(TM)
Technologies Inc. (NASDAQ: AXNT), Monday announced the availability
of its OmniGuard/Intruder Alert (ITA) version 2.3 for Windows NT.

This release of ITA gives users the ability...

...have enough people to review those logs. In addition,
because these logs are produced by multiple servers running multiple
operating systems, it is difficult to correlate audit events across
different platforms. Even if suspicious activity is discovered in
the audit logs, it is often too late to do anything about it," said
Pete Privateer, AXENT's...
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...tools deliver and complement Cisco's
overall security management strategy consisting of single-device
management, multi-device management, such as CiscoWorks2000, and
end-to-end policy-based management, such as Cisco Secure...
...At a glance, administrators can view graphical reports summarizing
network activity, resource utilization and event logs, allowing
performance and trend analysis.

PDM's logging and notification features also allow security staff to
detect and interrupt suspicious activity.

The embedded design of these device managers enables Cisco customers to
manage PIX firewalls...


